Presentation is loading. Please wait.

Presentation is loading. Please wait.

COBIT® as a Risk Management Framework

Similar presentations


Presentation on theme: "COBIT® as a Risk Management Framework"— Presentation transcript:

1 COBIT® as a Risk Management Framework
John W. Lainhart IV CISA, CISM, CGEIT, CIPP/G Partner, Security, Privacy, Wireless & IT Governance IBM Global Business Services Principal Advisory to IT Governance Institute COBIT® as a Risk Management Framework

2 In This Presentation... The Governance Environment
An introduction to IT Governance An introduction to Control Objectives for Information and related Technology (COBIT®) Overview of COBIT® Supporting Materials COBIT® Mappings to Other Standards An introduction to ValIT™ An introduction to RiskIT™ Recently Announced Certification Program – CGEIT Questions

3 IT Governance, COBIT, ValIT and RiskIT Are Brought to You by …

4 IT Governance Institute
IT Governance Institute is a non-profit research think-tank associated with ISACA®

5 IT Governance Institute Product Suite
Governance, Security and Assurance Management Business and Technology Management Governance IT Governance Implementation Guide Information Security Governance Board Briefing on IT Governance COBIT Control Practices IT Assurance Guide COBIT 4.1 Val IT

6 The Governance Environment

7 Forces Driving IT Governance
Business/IT Alignment ROI Compliance Project Execution Security

8 What Makes IT Governance so important?
Strategic importance of IT Extended Enterprise Regulatory requirements Cost optimisation Return on investment Drivers Gartner – more than 600 billion $ thrown away annually on ill conceived or ill executed IT projects Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful ITGI 2005 Survey early findings confirm concerns Low return from high-cost IT investments, and transparency of IT’s performance are two top issues More than 30% claim negative return from IT investments targeting efficiency gains 40% do not have good alignment between IT plans and business strategy Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)

9 What makes IT Governance so important?
Shareholders want protection for the Enterprise’s Share Price “…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…” “…financial reporting system is not up to speed…” “…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…” “…data entry problems…”

10 The Premier IT Leaders polled by ComputerWorld Magazine put these projects at the top of their to-do lists for # 1 on this list is IT Governance, including business alignment From the Dec 10, 2007 issue of Computerworld Magazine (pg 74) Computerworld Magazine is a publication of International Data Group Inc. IBM Confidential|

11 An Overview of IT Governance

12 What is IT Governance? “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.” ITGI, Board Briefing on IT Governance

13 IT Governance Needs a Management Framework
Driving Forces Map Onto the IT Governance Focus Areas STRATEGIC ALIGNMENT VALUE DELIVERY IT GOVERNANCE PERFORMANCE MEASUREMENT MANAGEMENT RISK RESOURCE MANAGEMENT

14 IT Governance Focus Areas
Strategic alignment, focuses on ensuring the linkage of business and IT plan; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and establishing collaborative solutions to Add value and competitive positioning to the enterprise’s products and services Contain costs while improving administrative efficiency and managerial effectiveness

15 IT Governance Focus Areas
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc)

16 IT Governance Focus Areas
Risk management requires risk awareness of senior corporate officers, a clear under- standing of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations

17 IT Governance Focus Areas
Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focusses on optimising knowledge and the IT infrastructure and on where and how to outsource

18 IT Governance Focus Areas
Performance measurement, tracking project delivery and monitoring IT services, using balanced scorecards that translate strategy into action to achieve goals measur-able beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.

19 IT Governance Life Cycle

20 IT Governance Control Cycle

21 IT Governance Control Cycle
Assess Environment Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy Establish risk management strategy Formally document existing processes

22 IT Governance Control Cycle
Maintain IT Controls Framework Develop controls framework to supports sound business decisions Document integration points in the current environment Create an organizational mechanism to support the governance of IT Mitigate identified risks through the IT controls framework

23 IT Governance Control Cycle
Develop & Refine Governing Documents Utilize a central repository for governing documents Develop a consistent approach for creating governing documents Consistently apply processes and procedures Gain executive commitment for IT governance frameworks and structure

24 IT Governance Control Cycle
Communicate and Train Provide “Tone at the Top” Develop a strategic communication plan for mission objectives and overall management direction Execute strategic communication plan Implement a standard training program to avoid unnecessary and redundant training

25 IT Governance Control Cycle
Implement and Operate Align staff responsibilities with IT control objectives Achieve sustainability of IT controls in the operational environment Support continuous improvement of operational effectiveness and accountability

26 IT Governance Control Cycle
Measure and Validate Revise current metrics program to include newly defined controls Verify the sustainability of defined controls Develop cost effective automated measurements Measure all processes to include Applications, Databases, Platforms and Networks

27 IT Governance Control Cycle
Monitor and Report Report on continued effectiveness of controls Increase transparency to auditors of issues and actions taken Accurately attest to IT’s compliance with policy, laws, and regulations Improve existing processes using metrics trending

28 IT Governance Control Cycle
Enforce Reinforce required policy compliance and standards conformance Define a consistent approach for enforcement across all processes

29 An Overview of COBIT

30 COBIT 4.1—The IT Governance Framework
IT Processes IT Management Processes IT Governance Processes CobiT best practices repository for COBIT Internationally accepted good practices Management-oriented Freely available Sharing knowledge and leveraging expert volunteers Continually evolving Maintained by reputable not-for-profit organisation Maps 100% to COSO Maps strongly to all major related standards Is a reference, set of best practices, not an “off-the-shelf” cure Enterprises still needs to analyse their control requirements and customise based on: Value drivers Risk profile IT infrastructure, organisation and project portfolio The only IT management and control framework that covers the end-to-end IT life cycle

31 COBIT: An IT Control Framework
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives Promotes process focus and process ownership Divides IT into 4 domains and 34 processes, with a total of 210 control objectives Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT Addresses the resources made available to and built up by IT Domains: 1. Plan & Organize 2. Acquire & Implement 3. Delivery & Support 4. Monitor & Evaluate Information Criteria: 1. Effectiveness 2. Efficiency 3. Availability 4. Integrity 5. Confidentiality 6. Reliability 7. Compliance IT Resources: 1. Applications 2. Information 3. Infrastructure 4. People

32 Key Driving Forces for COBIT
How IT is organised to respond to the requirements What the stakeholders expect from IT The resources made available to—and built up by—IT Business Requirements IT Resources IT Processes Plan and Organise Aquire and Implement Deliver and Support Monitor and Evaluate Applications Information Infrastructure People Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information reliability

33 IT Life Cycle COBIT Framework Business Objectives Criteria
Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability IT Resources Applications Information Infrastructure People Monitor and Evaluate Plan and Organise IT Life Cycle Deliver and Support Acquire and Implement

34 COBIT Processes Plan and Organise Acquire and Implement PO1
Define an IT Strategic Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organisation and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality PO9 Assess and Manage IT Risks PO10 Manage Projects Plan and Organise Acquire and Implement

35 COBIT Processes Deliver and Support Monitor and Evaluate ME1
Monitor and Evaluate IT Performance ME2 Monitor and Evaluate Internal Control ME3 Ensure Compliance With External Requirements ME4 Provide IT Governance Monitor and Evaluate

36 COBIT PC and AC Processes
Process Goals and Objectives PC2 Process Ownership PC3 Process Responsibility PC4 Roles and Responsibilities PC5 Policy, Plans and Procedures PC6 Process Performance Improvement Process Controls AC1 Source Data Preparation and Authorization AC2 Source Data Collection and Entry AC3 Accuracy, Completeness and Authenticity Checks AC4 Processing Integrity and Validity AC5 Output Review, Reconciliation and Error Handling AC6 Transmission Authentication and Integrity Application Controls

37 Process Level Navigating in COBIT

38 Control Objectives P09.6 Maintenance and Monitoring of a Risk Action Plan Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.

39 Management Guidelines

40 Management Guidelines

41 Maturity Model

42 Maturity Levels in COBIT
Non-existent Initial Repeatable Defined Managed Optimised 1 2 3 4 5 0 - Management processes are not applied at all. 1 - Processes are ad hoc and disorganised. 2 - Processes follow a regular pattern. 3 - Processes are documented and communicated. 4 - Processes are monitored and measured. 5 - Best practices are followed and automated.

43 Dimensions of Process Maturity in COBIT
We capture process maturity data on each of six dimensions: Awareness and communication Policies, standards and procedures Tools and automation Skills and expertise Responsibility and accountability Goal setting and measurement

44 Leverage COBIT® Supporting Materials ...

45 Implementation Guide

46 Implementation Guide IT Governance Implementation Guide, 2nd Edition
Detailed, structured guidance to the implementation of IT governance Generic IT governance implementation guidance, not just COBIT

47 Control Practices

48 Control Practices COBIT Control Practices, 2nd Edition
Detailed guidance on each of the control objectives Management-oriented From three to 12 control practices per control objective

49 Assurance Guide

50 Assurance Guide IT Assurance Guide: Using COBIT
Detailed guidance to support assurance practitioners in: Financial statement audit Internal audit Value for money Operational improvement Guidance on: How to leverage COBIT for assurance Detailed assurance testing steps

51 Quickstart

52 Quickstart For small and medium sized organizations and larger organizations wanting to quickstart IT governance Selection of components from the complete COBIT framework Can be used as a baseline (set of “smart things to do”) for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT

53 COBIT Security Baseline

54 COBIT Security Baseline - 44 Steps Toward Security
Define the security strategy - 1 Define the IT organisation and relationships - 1 Communicate management aims and direction - 1 Manage IT human resources - 4 Assess and manage IT risks - 3 Identify automated solutions - 1 Acquire and maintain application and technology infrastructure - 3 Enable operation and use - 1 Manage changes - 2 Install and accredit solutions and changes - 2 Define and manage service levels - 1 Manage third-party services - 3 Ensure continuous service - 3 Ensure systems security - 8 Manage the configuration - 2 Manage data - 3 Manage the physical environment - 2 Monitor and evaluate IT performance—assess internal control adequacy - 1 Obtain independent assurance - 1 Ensure regulatory compliance – 1 6 Information Security Survival Kits Home Users Professional Users Managers Executives Senior Executives Board of Directors/Trustees

55 COBIT Mappings to Other Frameworks and Standards

56 Where COBIT Typically Sits
King COSO Governance Layer COBIT Governance Layer IT ITIL 17799 Management Layer IT CMM TickIT

57 How COBIT Relates to Frameworks and Standards
Strategic 17799 COBIT Process Control CMM XY XY XY XY XY ITIL ## ## ## ## ## Process Execution Work Instruction Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6….

58 How COBIT Relates to Frameworks and Standards
Strategic 17799 COBIT Process Control CMM XY XY XY XY XY ITIL ## ## ## ## ## Process Execution Work Instruction Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6….

59 An Overview of ValIT

60 The Information Paradox
? The value of IT is being increasingly questioned... …yet organizations continue to spend more and more on IT SKIP 60

61 The Fundamental Question
Are we maximizing the value of our IT-enabled business investments such that: we are getting optimal benefits; at an affordable cost; and with an acceptable level of risk? Over the full economic life-cycle of the investment

62 Without Effective Governance
SYMPTOMS Situation Reluctance to say no to projects Lack of Strategic Focus Projects are “sold” on emotional basis -- not selected No strong review process Overemphasis on Financial ROI No clear strategic criteria for selection Can’t kill projects Leads to.. Too many projects Quality of execution suffers Underestimation of risks and costs Projects not aligned to strategy Budget overruns Project delays Business needs not met Lack of confidence (in IT) Results in.. Benefits not received Increased Complexity Sub-optimal use of resources Finger pointing Source: Fujitsu

63 Continuously Need to Question
The strategic question. Is the investment: In line with our vision? Consistent with our business principles? Contributing to our strategic objectives? Providing optimal value, at affordable cost, at an acceptable level of risk? In the value question. Do we have: A clear and shared understanding of the expected benefits? Clear accountability for realising the benefits? Relevant metrics? An effective benefits realisation process? Some fundamental questions about the value enabled by IT The architecture question. Is the investment: In line with our architecture? Consistent with our architectural principles? Contributing to the population of our architecture? In line with other initiatives? The delivery question. Do we have: Effective and disciplined delivery and change management processes? Competent and available technical and business resources to deliver: the required capabilities; and the organisational changes required to leverage the capabilities? Source: The Information Paradox

64 Val IT Processes & Key Management Practices

65 P3M -Projects, Programs, and Portfolios
Portfolio – a suite of business programmes managed to optimise overall enterprise value Portfolio Management Programme – a structured grouping of projects designed to produce clearly identified business value Programme Management Project Management Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget

66 Val IT Relationship between Processes & Practices
Establish governance framework VG1-4, 6 -7 Establish portfolio parameters VG Provide strategic direction VG5, 9-11 VG8 PM1-5 PM6 Maintain resource profile Maintain funding profile Evaluate & prioritize investments PM14 PM7-10 Move selected investments to active portfolio Manage overall portfolio Monitor & report on portfolio performance PM PM11 PM12-13 Analyse alternatives Assign accountability Document business case Identify business req’ts Define candidate programme IM4 IM9 IM1-2 IM8, 13 IM3, 5-7 Launch programme Manage programme execution Monitor & report on programme performance Retire programme IM IM10 IM 11-12 IM15 IM14

67 Val IT Initiative …a value lens into COBIT™
Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits? PO AI ME DS PM VG IM Val IT Governance & management of a portfolio of business change programmes COBIT Governance & management of a portfolio of technology projects, services, systems & supporting infrastructure

68 Val IT Initiative Status
DONE Framework Business Case Case Study (initial) Extend FW to services & other IT assets/ resources & Simplify Maturity Models Management Guidelines Taxonomy QuickStart Guide 1st Qtr. of 2008 IN PROCESS Business Case v2.0 Empirical Analysis Benchmarking PLANNED Available for free download from: or

69 The Business Challenge
Maximizing value and reducing risk made possible by IT both enables and requires a through IT governance approach that: Ensures clarity of, and accountability for the desired outcomes Enables understanding of the full scope of effort Breaks down the “silos” and “connects the dots” Manage the full economic life-cycle Senses and responds to changes and deviations This is a significant leadership challenge, opportunity and responsibility!

70 The RiskIT Initiative

71 RISKIT DESCRIPTION A risk management framework that provides the missing link between enterprise risk management and IT Management and control, fitting in the overall IT Governance framework of ITGI, and building upon all existing risk related components within the current frameworks, i.e., COBIT and Val IT A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, …)

72 RISKIT ACTIONS ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007) Business Case development, (October 2007) including Market survey Feasibility study High-level design of the product/service Set-up project governance structure, incl. Core Team, expert team, identify project manager(s) and potential resources Define high-level development and roll-out plan ITGI Board approved detailed business case and decision to proceed with full project (November 2007) RiskIT Task Force members appointed (December 2007) First RiskIT Task Force meeting held in Ghent, Belgium on January 2008 First draft RiskIT planned to be issued by December 2008

73 RiskIT Processes & Key Management Practices
As of 19 January 2008 first Task Force meeting in Ghent, Belgium High Level Risk Management Guidance: COSO ERM, AS/NZS 4360, etc

74 RISK IT Product Family – Proposed Content & Lifecycle

75 RELATIONSHIP OF COBIT/VALIT/RISKIT

76 Certified in the Governance of Enterprise IT (CGEIT)

77 Questions


Download ppt "COBIT® as a Risk Management Framework"

Similar presentations


Ads by Google